[ https://issues.apache.org/jira/browse/WICKET-5539?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13980850#comment-13980850 ]
Martin Grigorov commented on WICKET-5539:
-----------------------------------------
In the quickstart there is a usage of the Form component, not StatelessForm.
But even if it were StatelessForm, there are also Ajax components in use.
Stateful pages cannot be recreated in their last state after session/page
expiration.

The form submit request or Link click request is a request to a Wicket
interface listener (i.e. #onSubmit(), #onClick(), etc.). Their request
parameters are not used to update the Page's #getPageParameters() in normal
(not expired) requests. This is the reason why these parameters are not used
for the recreation of the page either.

Imagine your form submit sends sensitive data, like a password. Without the
current behavior the sensitive data will appear in the page's URL as plain
text in the query parameters when a page is recreated. This I would call a BUG!

> Incorrect recreation of page in case of PageExpire
> --------------------------------------------------
>
> Key: WICKET-5539
> URL: https://issues.apache.org/jira/browse/WICKET-5539
> Project: Wicket
> Issue Type: Bug
> Components: wicket
> Affects Versions: 6.14.0
> Reporter: Ilia Naryzhny
> Labels: expiration, mountBookmarkablePage
> Attachments: wicket5539.zip
>
>
> There is a bookmarkable page mounted, for example, to:
> /page/${entityId}
> This page contains a StatelessForm.
> Submitting the form after session expiry leads to the following:
> org.apache.wicket.core.request.mapper.MountedMapper invokes
> AbstractBookmarkableMapper.processListener to obtain an IRequestHandler to
> handle the form submission.
> But there is cleaning of PageParameters within processListener on line 256
> (Wicket 6.14) which cleans the "entityId" parameter as well, and the created page
> finally has no "entityId" and (in our case) redirects to 404.
> I see that this cleaning of page parameters was implemented due to
> Wicket-4594. But I think just checking for pageId is insufficient, because
> pageId might be not null, but the actual page may already be expired and a new
> instance should be created.
--
This message was sent by Atlassian JIRA
(v6.2#6252)
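
Added example (not part of the JIRA thread and not Wicket code): a plain-Java model of the two concerns raised above. It shows that merging the form's listener parameters into the recreated page's parameters puts the password in the URL, while keeping only what the mount path `/page/${entityId}` carries preserves `entityId`. The class, method names and sample values are hypothetical; `URLEncoder.encode(String, Charset)` needs Java 10 or later.

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.StringJoiner;
// Illustrative model only: plain Java, no Wicket classes; all names are hypothetical.
public class ExpiredPageRecreation {

    // Reads ${name} placeholders of a mount pattern out of a request path (null on mismatch).
    static Map<String, String> pathParameters(String mountPattern, String requestPath) {
        String[] pattern = mountPattern.split("/");
        String[] actual = requestPath.split("/");
        if (pattern.length != actual.length) return null;
        Map<String, String> params = new LinkedHashMap<>();
        for (int i = 0; i < pattern.length; i++) {
            if (pattern[i].startsWith("${") && pattern[i].endsWith("}")) {
                params.put(pattern[i].substring(2, pattern[i].length() - 1), actual[i]);
            } else if (!pattern[i].equals(actual[i])) {
                return null;
            }
        }
        return params;
    }

    // URL of the recreated page: parameters not bound by the mount path go to the query string.
    static String recreatedUrl(String path, Map<String, String> bound, Map<String, String> pageParams) {
        StringJoiner query = new StringJoiner("&");
        for (Map.Entry<String, String> e : pageParams.entrySet()) {
            if (!bound.containsKey(e.getKey())) {
                query.add(URLEncoder.encode(e.getKey(), StandardCharsets.UTF_8) + "="
                        + URLEncoder.encode(e.getValue(), StandardCharsets.UTF_8));
            }
        }
        return query.length() == 0 ? path : path + "?" + query;
    }

    public static void main(String[] args) {
        String path = "/page/42";                                   // constructed sample request
        Map<String, String> fromPath = pathParameters("/page/${entityId}", path);
        Map<String, String> posted = new LinkedHashMap<>();         // constructed form fields
        posted.put("username", "alice");
        posted.put("password", "s3cret");
        Map<String, String> merged = new LinkedHashMap<>(fromPath); // policy A: merge form fields
        merged.putAll(posted);
        System.out.println("merge listener params: " + recreatedUrl(path, fromPath, merged));
        // policy B: keep only what the mount path itself carries
        System.out.println("mount path only:       " + recreatedUrl(path, fromPath, fromPath));
    }
}
```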